Hello,

I used the Eddie software to connect to AirVPN's servers. I tried to sniff the traffic when Eddie started, and I found a privacy/security issue related to authentication. Eddie sends encoded data to the AirVPN website via HTTP in the clear (before and after login)!

BEFORE AND AFTER LOGIN:

* Host: 52.48.66.85:80 (Amazon server with the AirVPN website)

- Request:

    POST / HTTP/1.1
    Host: 52.48.66.85
    User-Agent: curl/7.55.1
    Accept: */*
    Content-Length: 817
    Content-Type: application/x-www-form-urlencoded

    s=[ENCODED_DATA_HERE]

(What data is sent before login and what after?)

- Response:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 13 Sep 2017 16:20:38 GMT
    Content-Type: application/octet-stream
    Content-Length: 65472
    Connection: keep-alive
    Pragma: no-cache
    Expires: 0
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-AirVPN-Bk: 1

So Eddie uses the AirVPN website (HTTP POST) to authenticate the user. This is very much a security/privacy concern because any entity with access to that website (AirVPN admins and law enforcement) can catch the user's real IP address (username -> real IP address -> VPN server used). Many users chose to register on the AirVPN website via a proxy. AirVPN's current login scheme makes any security/privacy behavior adopted by the user during registration completely useless.

Thank you
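The following is an added example, not part of the post and not AirVPN or Eddie code: it parses a capture shaped like the one quoted above and lists what an on-path observer can read from it, plus two transport findings. The header values are copied from the post; the body value is a placeholder, `observer_view` and `dst_port` are names chosen here, and the script cannot tell whether the `s` value is itself encrypted, only that the transport is not.

```python
from urllib.parse import parse_qs

# Constructed capture: headers copied from the post; body value is a placeholder.
REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 52.48.66.85\r\n"
    "User-Agent: curl/7.55.1\r\n"
    "Content-Length: 817\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "s=PLACEHOLDER_ENCODED_DATA"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 65472\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\n"
    "X-AirVPN-Bk: 1\r\n"
    "\r\n"
)

def parse_message(raw):
    """Split a raw HTTP/1.1 message into (start line, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def observer_view(request, response, dst_port):
    """Return what an on-path observer can read, plus transport findings."""
    _, req_h, body = parse_message(request)
    _, resp_h, _ = parse_message(response)
    view = {
        "host": req_h.get("host"),
        "user_agent": req_h.get("user-agent"),
        "form_fields": sorted(parse_qs(body, keep_blank_values=True)),
        "request_bytes": int(req_h.get("content-length", 0)),
        "response_bytes": int(resp_h.get("content-length", 0)),
    }
    findings = []
    if dst_port == 80:  # assumption: the observer takes the port from the TCP header
        findings.append("cleartext-transport")
        # RFC 6797 section 8.1: an STS header received over plain HTTP is ignored.
        if "strict-transport-security" in resp_h:
            findings.append("hsts-over-http-ignored")
    return view, findings
```

The `hsts-over-http-ignored` finding reflects that the `Strict-Transport-Security` header in the quoted response has no effect on this connection, since it arrived over port 80.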